Is Windows 7 safe? Sophos is ready, are you?

October 22nd, 2009 is the official public launch of Microsoft Windows 7. Those of us in the software development, hardware, and large enterprise space have had access to it for a few months now. We have been working to put the final polish on our compatibility, look and feel, and quality assurance testing.

In talking with the press, there has been a lot of interest in how secure Windows 7 is, what improvements there are, and what Microsoft might have missed.

One thing I have not mentioned here previously that I think Microsoft missed is the default behavior of hiding extensions in Windows Explorer and file selection dialogs. Microsoft has defended this decision as intentional and designed to simplify the Windows experience. They believe that legacy file extensions are confusing to the average customer.

I'm not sure about your users, but the PC users I know think of things as being a PDF, Doc, etc. They don't pay much attention to things like the icon Windows presents to them. They have been taught not to open files with extensions like .exe, .scr, and .bat that are known to be potentially dangerous.

This leaves the door open for nasty malware to masquerade as .txt files in users' email and dupe them into opening malicious files. In an enterprise environment, I would recommend using GPOs to change this setting so that extensions are always shown.
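The check below is an added example, not part of the original post: it models what a user sees when extensions are hidden and flags attachment names whose visible part ends in a harmless-looking extension while the real extension is an executable one. The function names, the two extension lists, and the sample filenames are assumptions constructed for illustration, and the display model assumes the real extension is a registered file type.

```python
import ntpath

# Assumed lists for illustration; tune them to local mail or file policy.
RISKY = {".exe", ".scr", ".bat", ".com", ".pif", ".cmd"}
BENIGN_LOOKING = {".txt", ".pdf", ".doc", ".xls", ".jpg"}


def _split(filename):
    """Return (stem, real_extension) using Windows path rules."""
    # Windows drops trailing dots and spaces from a file name.
    base = ntpath.basename(filename).rstrip(" .")
    stem, ext = ntpath.splitext(base)
    return stem, ext.lower()


def displayed_name(filename):
    """Name shown in Explorer when known extensions are hidden."""
    stem, ext = _split(filename)
    return stem if ext else ntpath.basename(filename)


def classify(filename):
    """'ok', 'risky' (executable type), or 'masquerade' (hidden executable
    extension behind a benign-looking visible one)."""
    stem, ext = _split(filename)
    if ext not in RISKY:
        return "ok"
    # What the user reads as "the extension" once the real one is hidden;
    # strip padding that may sit between the visible and real extension.
    visible_ext = ntpath.splitext(stem.rstrip())[1].lower()
    return "masquerade" if visible_ext in BENIGN_LOOKING else "risky"


def scan(filenames):
    """Map each flagged filename to (verdict, name the user would see)."""
    return {f: (classify(f), displayed_name(f))
            for f in filenames if classify(f) != "ok"}


# Constructed sample attachment names, not taken from any real incident.
SAMPLE = ["notes.txt", "invoice.txt.exe", "Report.PDF.SCR",
          "setup.exe", r"C:\mail\holiday.jpg   .bat"]

if __name__ == "__main__":
    for name, (verdict, shown) in scan(SAMPLE).items():
        print(f"{verdict:10} real={name!r} shown={shown!r}")
```
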

I have posted several articles detailing changes made to security in Windows 7, which you can find listed below:

In summary, I would like to remind users of Windows 7 that, just as for users who have chosen OS X, Linux, or even Blackberries, much of the risk on the internet today is not OS-targeted malware. Sure, there have been outbreaks of things like Conficker, Virtumundo, and JSRedir (Gumblar) that exploit flaws in Windows, but many attacks are focused on social engineering.

Many users have already decided to move away from Microsoft based on previous bad experiences. This is leading criminals to take new approaches to compromising your data, identity, and finances.

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics.
You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.